summaryrefslogtreecommitdiff
path: root/test/vboot
diff options
context:
space:
mode:
authorMichael van der Westhuizen <michael@smart-africa.com>2014-07-02 10:17:26 +0200
committerTom Rini <trini@ti.com>2014-08-09 11:17:01 -0400
commite0f2f15534146729fdf2ce58b740121fd67eea1c (patch)
tree87cd55f630088b177050457ed0f3a3059997da17 /test/vboot
parent53022c3113a6670d21f55262f511ae6a07bb3dc4 (diff)
downloadu-boot-e0f2f15534146729fdf2ce58b740121fd67eea1c.tar.gz
Implement generalised RSA public exponents for verified boot
Remove the verified boot limitation that only allows a single RSA public exponent of 65537 (F4). This change allows use with existing PKI infrastructure and has been tested with HSM-based PKI. Change the configuration OF tree format to store the RSA public exponent as a 64 bit integer and implement backward compatibility for verified boot configuration trees without this extra field. Parameterise vboot_test.sh to test different public exponents. Mathematics and other hard work by Andrew Bott. Tested with the following public exponents: 3, 5, 17, 257, 39981, 50457, 65537 and 4294967297. Signed-off-by: Andrew Bott <Andrew.Bott@ipaccess.com> Signed-off-by: Andrew Wishart <Andrew.Wishart@ipaccess.com> Signed-off-by: Neil Piercy <Neil.Piercy@ipaccess.com> Signed-off-by: Michael van der Westhuizen <michael@smart-africa.com> Cc: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'test/vboot')
-rwxr-xr-xtest/vboot/vboot_test.sh10
1 files changed, 9 insertions, 1 deletions
diff --git a/test/vboot/vboot_test.sh b/test/vboot/vboot_test.sh
index 8074fc6adc..6d7abb82bd 100755
--- a/test/vboot/vboot_test.sh
+++ b/test/vboot/vboot_test.sh
@@ -54,8 +54,16 @@ echo ${mkimage} -D "${dtc}"
echo "Build keys"
mkdir -p ${keys}
+PUBLIC_EXPONENT=${1}
+
+if [ -z "${PUBLIC_EXPONENT}" ]; then
+ PUBLIC_EXPONENT=65537
+fi
+
# Create an RSA key pair
-openssl genrsa -F4 -out ${keys}/dev.key 2048 2>/dev/null
+openssl genpkey -algorithm RSA -out ${keys}/dev.key \
+ -pkeyopt rsa_keygen_bits:2048 \
+ -pkeyopt rsa_keygen_pubexp:${PUBLIC_EXPONENT} 2>/dev/null
# Create a certificate containing the public key
openssl req -batch -new -x509 -key ${keys}/dev.key -out ${keys}/dev.crt